[PATCH 0/4] Add MAC authentication support to the Babel protocol
Toke Høiland-Jørgensen
toke at toke.dk
Sun Feb 23 23:56:33 CET 2020
This series adds MAC authentication support to the Babel protocol as specified
by the IETF Babel working group in draft-babel-hmac-10:
https://tools.ietf.org/html/draft-ietf-babel-hmac-10
An initial RFC patch series was posted here in July 2018[0]. Since then, the
protocol specification has progressed through the IETF, to the point where it is
now in the IESG publication queue as a proposed standard RFC. This version of
the patch series updates the implementation to correspond to the final version
of the draft, and also addresses the review comments from the initial RFC patch.
The major changes are:
Major updates to the specification (for a full list see the draft appendix):
- Added Blake2s as a recommended algorithm
- Updated terminology to use MAC everywhere instead of HMAC (since Blake is not
an HMAC algorithm).
- Added expiration of neighbours and rate limiting of challenge replies
- Updated TLV type numbers after IANA allocation
In addition, the following changes have been made to the implementation:
- Add wrapper function to bird sysdep code to pick a suitable source of random
bytes
- Import reference Blake2 implementations into lib/
- Rename function names and data structures to use an auth_ prefix instead of hmac_
- Perform a separate authentication pass before parsing the packet, and move the
authentication-related code to its own source file
- Enforce key length recommendation from the specification
- Add a 'permissive' configuration mode where outgoing packets are signed but
incoming packets are accepted even though they fail authentication
- Add user documentation for the authentication configuration, and function
docstrings to the main authentication functions
- Fix a bunch of nits and code style issues
I have performed basic interoperability testing between this implementation and
the current babeld HMAC implementation[1]. The two implementations were able to
successfully exchange authenticated messages with both HMAC-256 and Blake2s keys.
Given the above, and the close-to-final state of the specification at the IETF,
I believe this series is ready for merging (subject to review, of course). For
those wanting to test the code, a version of Bird with this series applied is
available on Github[2] for easy consumption.
Cheers,
-Toke
[0] http://trubka.network.cz/pipermail/bird-users/2018-July/012536.html
[1] https://github.com/jech/babeld/pull/52
[2] https://github.com/tohojo/bird/tree/babel-mac-01
---
Toke Høiland-Jørgensen (4):
sysdep: Add wrapper to get random bytes
nest: Add Blake2s and Blake2b hash functions
babel: Refactor packet parsing code for reuse in authentication checks
babel: Add MAC authentication support
aclocal.m4 | 49 ++++
conf/conf.c | 1
configure.ac | 15 +
doc/bird.sgml | 38 +++
lib/Makefile | 2
lib/birdlib.h | 2
lib/blake2-impl.h | 160 +++++++++++++
lib/blake2-ref.h | 112 +++++++++
lib/blake2.c | 46 ++++
lib/blake2.h | 67 ++++++
lib/blake2b-ref.c | 270 ++++++++++++++++++++++
lib/blake2s-ref.c | 263 ++++++++++++++++++++++
lib/mac.c | 7 +
lib/mac.h | 2
nest/config.Y | 4
proto/babel/Doc | 1
proto/babel/Makefile | 4
proto/babel/auth.c | 593 +++++++++++++++++++++++++++++++++++++++++++++++++
proto/babel/babel.c | 33 ++-
proto/babel/babel.h | 54 ++++
proto/babel/config.Y | 38 +++
proto/babel/packets.c | 294 +++++++++++++-----------
proto/babel/packets.h | 96 ++++++++
sysdep/unix/random.c | 78 ++++++
24 files changed, 2068 insertions(+), 161 deletions(-)
create mode 100644 lib/blake2-impl.h
create mode 100644 lib/blake2-ref.h
create mode 100644 lib/blake2.c
create mode 100644 lib/blake2.h
create mode 100644 lib/blake2b-ref.c
create mode 100644 lib/blake2s-ref.c
create mode 100644 proto/babel/auth.c
create mode 100644 proto/babel/packets.h
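The cover letter describes the shape of the implementation without showing it: an authentication pass that runs before the packet parser, a choice between HMAC-SHA256 and keyed Blake2s, a key-length check, and a 'permissive' mode that signs outgoing packets but still accepts incoming ones that fail verification. The following Python sketch is an added example written for this page; it is not code from Bird, from the patch series, or from babeld. The packet layout (body followed by a trailing MAC), the pseudo-header (source/destination address and port), and the per-algorithm key and MAC lengths in ALGOS are simplifying assumptions for illustration, not the normative encoding from the draft.

```python
import hashlib
import hmac
import ipaddress
import logging
import os
import struct

# Assumed per-algorithm parameters (illustrative, not the draft's normative values).
ALGOS = {
    "hmac-sha256": {"key_len": 32, "mac_len": 32},
    "blake2s128":  {"key_len": 16, "mac_len": 16},
}


def check_key(algo, key):
    """Enforce the expected key length for the chosen algorithm (assumed values)."""
    if algo not in ALGOS:
        raise ValueError("unknown MAC algorithm: %s" % algo)
    want = ALGOS[algo]["key_len"]
    if len(key) != want:
        raise ValueError("%s expects a %d-byte key, got %d" % (algo, want, len(key)))


def pseudo_header(src, sport, dst, dport):
    """Bind the MAC to the addresses and ports the packet travels between.
    Simplified layout: packed IPv6 src, src port, packed IPv6 dst, dst port."""
    return (ipaddress.IPv6Address(src).packed + struct.pack("!H", sport)
            + ipaddress.IPv6Address(dst).packed + struct.pack("!H", dport))


def compute_mac(algo, key, pseudo, body):
    """MAC over pseudo-header + body. Keyed Blake2s is a MAC in its own right,
    so it is used directly rather than through the HMAC construction."""
    check_key(algo, key)
    msg = pseudo + body
    if algo == "hmac-sha256":
        return hmac.new(key, msg, hashlib.sha256).digest()
    return hashlib.blake2s(msg, key=key, digest_size=ALGOS[algo]["mac_len"]).digest()


def sign_packet(algo, key, pseudo, body):
    """Outgoing direction: append the MAC as a trailer to the packet body."""
    return body + compute_mac(algo, key, pseudo, body)


def authenticate_packet(algo, key, pseudo, packet, permissive=False):
    """Incoming direction: the authentication pass that runs before parsing.
    Returns the body to hand to the parser, or None when the packet is dropped.
    In permissive mode a failed MAC is logged but the body is still returned."""
    mac_len = ALGOS[algo]["mac_len"]
    if len(packet) < mac_len:
        return None
    body, received = packet[:-mac_len], packet[-mac_len:]
    expected = compute_mac(algo, key, pseudo, body)
    if hmac.compare_digest(received, expected):  # constant-time comparison
        return body
    logging.warning("MAC check failed (%s), %s", algo,
                    "accepting anyway (permissive)" if permissive else "dropping")
    return body if permissive else None


def parse_body(body):
    """Stand-in for the real parser: only ever called on an authenticated body."""
    return {"length": len(body), "first_byte": body[0] if body else None}


def demo(algo="blake2s128"):
    # Constructed sample: a random key of the assumed length and a dummy body.
    key = os.urandom(ALGOS[algo]["key_len"])
    pseudo = pseudo_header("fe80::1", 6696, "ff02::1:6", 6696)
    body = b"\x02\x05" + b"\x00" * 8        # constructed, not a real Babel packet
    wire = sign_packet(algo, key, pseudo, body)
    tampered = wire[:2] + b"\xff" + wire[3:]
    return {
        "good": authenticate_packet(algo, key, pseudo, wire),
        "strict_tampered": authenticate_packet(algo, key, pseudo, tampered),
        "permissive_tampered": authenticate_packet(algo, key, pseudo, tampered,
                                                   permissive=True),
        "wrong_key": authenticate_packet(algo, os.urandom(len(key)), pseudo, wire),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, None if result is None else parse_body(result))
```

Two points worth noting from the structure: the receiver compares MACs with `hmac.compare_digest` rather than `==`, so verification time does not leak how many leading bytes matched; and the parser only ever sees a body that has either passed the MAC check or been explicitly waved through in permissive mode, which is what a separate authentication pass buys you.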